Symantec Endpoint Detection and Response's network control point analyzes incoming data streams as they travel through the network. The resulting event data is stored in Symantec EDR's database, and Symantec EDR lets you search that database for the events that have already occurred in your environment. Symantec EDR does not support performing actions from this page. However, you can click hyperlinks in the search results to go to entity details pages for more information and to perform actions from there.
Any user role can search the Symantec EDR database for indicators of compromise (IOCs).
To search the Symantec EDR database for the events that are IOCs
Do one of the following:
In the EDR cloud console, click Search, select an appliance, and then click Database > Events.
In the EDR appliance console, click Search > Database > Events.
In the search query box, type your search query.
Symantec EDR validates your query and parses individual strings to determine the string type (that is, file name, hash, domain, etc.). For example, if you type test123 into the search field, Symantec EDR returns any file whose name starts with "test123". If you paste 462EE52A6C5ABC4C547492B8B569B78A into the search field, Symantec EDR returns any file with this string in its name or any file containing this hash.
Symantec EDR supports the search expressions that are written in the following format:
Token:"Value"
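The auto-detection and the Token:"Value" format described above, as an added example that is not Symantec's code: a small normalizer that keeps explicit Token:"Value" expressions as written and classifies bare terms as a hash, a domain, or a file-name prefix. The hash-length rules and the type labels are this example's assumptions, not documented Symantec logic.

```python
import re

# Explicit expressions in the documented Token:"Value" form.
TOKEN_VALUE_RE = re.compile(r'(\w+):"([^"]*)"')
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
DOMAIN_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}$"
)
# Assumption: hash type is inferred from hex length (not Symantec's rule).
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_term(term):
    """Return every interpretation a bare search term could have.

    Mirrors the documented behaviour: a hash-shaped term matches both the
    hash itself and any file whose name contains that string; other terms
    are treated as file-name prefixes (and as a domain when they look like one).
    """
    if HEX_RE.match(term) and len(term) in HASH_LENGTHS:
        return [("hash", HASH_LENGTHS[len(term)]), ("file_name_contains", term)]
    if DOMAIN_RE.match(term):
        # A dotted term such as "abc.exe" is ambiguous, so keep both readings.
        return [("domain", term.lower()), ("file_name_prefix", term)]
    return [("file_name_prefix", term)]


def parse_query(query):
    """Split a query into explicit Token:"Value" pairs and classified bare terms."""
    explicit = [("explicit", tok, val) for tok, val in TOKEN_VALUE_RE.findall(query)]
    remainder = TOKEN_VALUE_RE.sub(" ", query)
    bare = [("bare", term, classify_term(term)) for term in remainder.split()]
    return explicit + bare


if __name__ == "__main__":
    # Constructed sample query using the two values quoted in the text above.
    for item in parse_query('test123 462EE52A6C5ABC4C547492B8B569B78A foo:"bar baz"'):
        print(item)
```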
Symantec EDR also provides preconfigured Quick Filters for rapidly constructing queries from commonly used filter components. Use the following links to learn more about Quick Filters, operators, wildcards, and version support.